Florida Data Security Claims Survive Motion to Dismiss

Last week, Judge Ungaro of the Southern District of Florida granted in part and denied in part a motion to dismiss in Burrows v. Purchasing Power, LLC. The court found that the plaintiff had asserted a plausible claim under the Florida Deceptive and Unfair Trade Practices Act (FDUTPA), granted the plaintiff leave to amend his claims for negligence and common-law invasion of privacy, and dismissed without leave to amend his claims under the Stored Communications Act (SCA) and Florida Constitution.

According to the Amended Complaint, defendant Winn-Dixie Stores, Inc. transferred employees’ personally identifiable information (PII) to a third-party service provider named Purchasing Power, which allows employees to purchase goods via automatic payroll deductions. The Amended Complaint alleges that a Purchasing Power employee inappropriately accessed the Winn-Dixie employees’ PII, and that Winn-Dixie learned about the data breach in October 2011 but failed to notify employees until January 2012. Plaintiff Patrick Burrows, who was a Winn-Dixie employee, claimed that an unknown person used his compromised PII to file a false tax return under his name, leaving him unable to collect his tax refund.

As we’ve noted in earlier posts, privacy and data security claims brought under other states’ mini-FTC Acts often have been dismissed for lack of cognizable injury; in addition, a federal court in Arizona is currently considering whether the “unfairness” provision of the federal FTC Act extends to data security. Nonetheless, the Burrows court found that the defendants had engaged in two separate unfair practices that violated the FDUTPA, Florida’s mini-FTC Act: (1) transferring employee PII to Purchasing Power regardless of whether the employees were participating in the Purchasing Power program, and (2) failing to immediately notify employees about the breach, which prevented employees from taking appropriate remedial measures. Looking to the standard for unfairness under 15 U.S.C. § 45(n), the court held that the defendants’ practices were unfair because Winn-Dixie transferred PII even for employees who were not participating in the Purchasing Power program—meaning that the injury was not reasonably avoidable by the employees and was not outweighed by any countervailing benefits.

The court found insufficient factual allegations to support Burrows’s other claims. The court directed Burrows to replead his negligence claim to clarify his claim for damages: although his allegations based on the false tax return filed in his name were sufficient to support his claim, his other allegations about the lost “monetary value” of his PII and “other economic damages” were too vague. The court dismissed his common-law invasion of privacy claim for failure to allege intentional tortious conduct. His SCA claim failed because the defendants do not provide an “electronic communications service” or a “remote computing service” as defined under the SCA. Finally, the court dismissed his state constitutional claim, because the right to privacy under the Florida Constitution applies only to government action.

The Burrows case is a useful reminder that, although the data breaches that make headlines typically involve consumer or patient data, employers also have sensitive information about their employees—and need to ensure that they and their service providers safeguard the information appropriately.